A log file, or log, is a record of the events that take place during the execution of a system, kept in order to provide an audit trail. The audit trail can be used to understand the activity of the system and to diagnose problems. In effect, a log file may be considered the black box, or closed-circuit television (CCTV), of a computer system. Logs may be generated by the operating system (OS) kernel as well as by various server applications, e.g., web, domain name, mail, and database servers. When system administrators suspect an attack, they typically turn to the logs to investigate it. By examining the logs, an administrator may detect completed attacks, unsuccessful attempts, and potential threats.
Since modern attackers are aware of this recorded evidence, they often try to remove the traces of their attacks from the logs whenever possible. Accordingly, making system logs tamper-proof, and ensuring that traces cannot be removed from them, has become imperative in this time of escalating cyber-attacks.
The criticality of the information contained in system logs has been widely recognized by researchers, and several software-based and hardware-assisted approaches for protecting logs have been proposed. These conventional approaches aim to protect logs from unauthorized access through encryption. However, the log files are typically still stored on hard disk drives (HDDs). Should an attacker manage to obtain root privileges on a computer system, encryption cannot safeguard the logs from information removal, because the attacker may simply delete or corrupt the entire HDD: encryption protects the confidentiality of the log data, not its integrity or availability.